Payment Card Industry (PCI )Data Security Standard pot

Wireless If wireless technology is used to store, process, or transmit cardholder data for example, point-of-sale transactions, ―line-busting‖, or if a wireless local area network WLAN

Payment Card Industry (PCI)

Data Security Standard

Requirements and Security Assessment Procedures

Version 2.0

October 2010

from PCI DSS Version 1.1 to 1.2

July

2009 1.2.1

Add sentence that was incorrectly deleted between PCI DSS v1.1 and v1.2 5 Correct ―then‖ to ―than‖ in testing procedures 6.3.7.a and 6.3.7.b 32 Remove grayed-out marking for ―in place‖ and ―not in place‖ columns in testing procedure 6.5.b 33 For Compensating Controls Worksheet – Completed Example, correct wording at top of page to say ―Use

this worksheet to define compensating controls for any requirement noted as ‗in place‘ via compensating controls.‖

Table of Contents

Document Changes 2

Introduction and PCI Data Security Standard Overview 5

PCI DSS Applicability Information 7

Relationship between PCI DSS and PA-DSS 9

Scope of Assessment for Compliance with PCI DSS Requirements 10

Network Segmentation 10

Wireless 11

Third Parties/Outsourcing 11

Sampling of Business Facilities/System Components 12

Compensating Controls 13

Instructions and Content for Report on Compliance 14

Report Content and Format 14

Revalidation of Open Items 17

PCI DSS Compliance – Completion Steps 18

Detailed PCI DSS Requirements and Security Assessment Procedures 19

Build and Maintain a Secure Network 20

Requirement 1: Install and maintain a firewall configuration to protect cardholder data 20

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters 24

Protect Cardholder Data 28

Requirement 3: Protect stored cardholder data 28

Requirement 4: Encrypt transmission of cardholder data across open, public networks 35

Maintain a Vulnerability Management Program 37

Requirement 5: Use and regularly update anti-virus software or programs 37

Requirement 6: Develop and maintain secure systems and applications 38

Implement Strong Access Control Measures 44

Requirement 7: Restrict access to cardholder data by business need to know 44

Requirement 8: Assign a unique ID to each person with computer access 46

Requirement 9: Restrict physical access to cardholder data 51

Regularly Monitor and Test Networks 55

Requirement 11: Regularly test security systems and processes 59

Maintain an Information Security Policy 64

Requirement 12: Maintain a policy that addresses information security for all personnel 64

Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers 70

Appendix B: Compensating Controls 72

Appendix C: Compensating Controls Worksheet 73

Compensating Controls Worksheet – Completed Example 74

Appendix D: Segmentation and Sampling of Business Facilities/System Components 75

Introduction and PCI Data Security Standard Overview

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally PCI DSS provides a baseline of technical and operational requirements

designed to protect cardholder data PCI DSS applies to all entities involved in payment card processing – including merchants, processors,

acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data PCI DSS comprises a

minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks Below is a high-level overview of the 12 PCI DSS requirements

This document, PCI Data Security Standard Requirements and Security Assessment Procedures, combines the 12 PCI DSS requirements and

corresponding testing procedures into a security assessment tool It is designed for use during PCI DSS compliance assessments as part of an entity’s validation process The following sections provide detailed guidelines and best practices to assist entities prepare for, conduct, and report

the results of a PCI DSS assessment The PCI DSS Requirements and Testing Procedures begin on page 19

The PCI Security Standards Council (PCI SSC) website (www.pcisecuritystandards.org) contains a number of additional resources, including:

 Attestations of Compliance

 Navigating PCI DSS: Understanding the Intent of the Requirements

 The PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms

 Frequently Asked Questions (FAQs)

 Information Supplements and Guidelines

Please refer to www.pcisecuritystandards.org for more information

Note: Information Supplements

complement the PCI DSS and identify additional considerations and

recommendations for meeting PCI DSS requirements – they do not change, eliminate or supersede the PCI DSS or any

of its requirements

PCI DSS Applicability Information

PCI DSS applies wherever account data is stored, processed or transmitted Account Data consists of Cardholder Data plus Sensitive

Authentication Data, as follows:

Cardholder Data includes: Sensitive Authentication Data includes:

 Primary Account Number (PAN)

The primary account number is the defining factor in the applicability of PCI DSS requirements PCI DSS requirements are applicable if a

primary account number (PAN) is stored, processed, or transmitted If PAN is not stored, processed or transmitted, PCI DSS requirements do not apply

If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the

cardholder data environment, they must be protected in accordance with all PCI DSS requirements except Requirements 3.3 and 3.4, which apply

only to PAN

PCI DSS represents a minimum set of control objectives which may be enhanced by local, regional and sector laws and regulations Additionally, legislation or regulatory requirements may require specific protection of personally identifiable information or other data elements (for example, cardholder name), or define an entity’s disclosure practices related to consumer information Examples include legislation related to consumer data protection, privacy, identity theft, or data security PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements

The following table illustrates commonly used elements of cardholder and sensitive authentication data, whether storage of each data element is permitted or prohibited, and whether each data element must be protected This table is not exhaustive, but is presented to illustrate the different types of requirements that apply to each data element

Data Element

Storage Permitted

Render Stored Account Data Unreadable per Requirement 3.4

Cardholder Data

Sensitive Authentication Data 1

Full Magnetic Stripe Data 2 No Cannot store per Requirement 3.2 CAV2/CVC2/CVV2/CID No Cannot store per Requirement 3.2 PIN/PIN Block No Cannot store per Requirement 3.2 PCI DSS requirements 3.3 and 3.4 apply only to PAN If PAN is stored with other elements of cardholder data, only the PAN must be rendered unreadable according to PCI DSS Requirement 3.4

PCI DSS only applies if PANs are stored, processed and/or transmitted

Relationship between PCI DSS and PA-DSS

Use of a PA-DSS compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by the payment application vendor (per PA-DSS Requirement 13.1)

The requirements for the Payment Application Data Security Standard (PA-DSS) are derived from the PCI DSS Requirements and Security

Assessment Procedures (this document) The PA-DSS details what a payment application must support to facilitate a customer’s PCI DSS

compliance

Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of full magnetic stripe data, card verification codes and values (CAV2, CID, CVC2, CVV2), and PINs and PIN blocks, along with the damaging fraud resulting from these breaches

Just a few of the ways payment applications can prevent compliance include:

 Storage of magnetic stripe data and/or equivalent data from the chip in the customer's network after authorization;

 Applications that require customers to disable other features required by the PCI DSS, like anti-virus software or firewalls, in order to get the payment application to work properly; and

 Vendors’ use of unsecured methods to connect to the application to provide support to the customer

The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties

Please note the following regarding PA-DSS applicability:

 PA-DSS does apply to payment applications that are typically sold and installed ―off the shelf‖ without much customization by software

vendors

 PA-DSS does not apply to payment applications developed by merchants and service providers if used only in-house (not sold,

distributed, or licensed to a third party), since this in-house developed payment application would be covered as part of the merchant’s or service provider’s normal PCI DSS compliance

For detailed guidance on determining whether PA-DSS applies to a given payment application, please refer to the PA-DSS Requirements and Security Assessment Procedures, which can be found at www.pcisecuritystandards.org

Scope of Assessment for Compliance with PCI DSS Requirements

The PCI DSS security requirements apply to all system components In the context of PCI DSS, ―system components‖ are defined as any network component, server, or application that is included in or connected to the cardholder data environment ―System components‖ also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors The cardholder data environment is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive

authentication data Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances Server types include, but are not limited to the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS) Applications include all purchased and custom applications, including internal and external (for example, Internet) applications

The first step of a PCI DSS assessment is to accurately determine the scope of the review At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope To confirm the accuracy and appropriateness of PCI DSS scope, perform the following:

 The assessed entity identifies and documents the existence of all cardholder data in their environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE)

 Once all locations of cardholder data are identified and documented, the entity uses the results to verify that PCI DSS scope is appropriate (for example, the results may be a diagram or an inventory of cardholder data locations)

 The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE unless such data is

deleted or migrated/consolidated into the currently defined CDE

 The entity retains documentation that shows how PCI DSS scope was confirmed and the results, for assessor review and/or for reference during the next annual PCI SCC scope confirmation activity

Network Segmentation

Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity’s network is not a PCI DSS requirement However, it is strongly recommended as a method that may reduce:

 The scope of the PCI DSS assessment

 The cost of the PCI DSS assessment

 The cost and difficulty of implementing and maintaining PCI DSS controls

 The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)

Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network

An important prerequisite to reduce the scope of the cardholder data environment is a clear understanding of business needs and processes related to the storage, processing or transmission of cardholder data Restricting cardholder data to as few locations as possible by elimination of unnecessary data, and consolidation of necessary data, may require reengineering of long-standing business practices

Documenting cardholder data flows via a dataflow diagram helps fully understand all cardholder data flows and ensures that any network

segmentation is effective at isolating the cardholder data environment

If network segmentation is in place and being used to reduce the scope of the PCI DSS assessment, the assessor must verify that the

segmentation is adequate to reduce the scope of the assessment At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not However, the adequacy of a specific implementation of network segmentation is highly variable and dependent upon a number of factors, such as a given network's configuration, the technologies deployed, and other controls that may

be implemented

Appendix D: Segmentation and Sampling of Business Facilities/System Components provides more information on the effect of network

segmentation and sampling on the scope of a PCI DSS assessment

Wireless

If wireless technology is used to store, process, or transmit cardholder data (for example, point-of-sale transactions, ―line-busting‖), or if a wireless local area network (WLAN) is connected to, or part of, the cardholder data environment (for example, not clearly separated by a firewall), the PCI DSS requirements and testing procedures for wireless environments apply and must be performed (for example, Requirements 1.2.3, 2.1.1, and 4.1.1) Before wireless technology is implemented, an entity should carefully evaluate the need for the technology against the risk Consider

deploying wireless technology only for non-sensitive data transmission

For those entities that outsource storage, processing, or transmission of cardholder data to third-party service providers, the Report on

Compliance (ROC) must document the role of each service provider, clearly identifying which requirements apply to the assessed entity and which apply to the service provider There are two options for third-party service providers to validate compliance:

1) They can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate their compliance; or 2) If they do not undergo their own PCI DSS assessment, they will need to have their services reviewed during the course of each of their customers’ PCI DSS assessments

See the bullet beginning ―For managed service provider (MSP) reviews,‖ in Item 3, ―Details about Reviewed Environment,‖ in the ―Instructions and Content for Report on Compliance‖ section, below, for more information

Additionally, merchants and service providers must manage and monitor the PCI DSS compliance of all associated third-party service providers

with access to cardholder data Refer to Requirement 12.8 in this document for details

Sampling of Business Facilities/System Components

Sampling is not a PCI DSS requirement However, after considering the overall scope and complexity of the environment being assessed, the assessor may independently select representative samples of business facilities/system components in order to assess PCI DSS requirements These samples must be defined first for business facilities and then for system components within each selected business facility Samples must

be a representative selection of all of the types and locations of business facilities, as well as types of system components within selected

business facilities Samples must be sufficiently large to provide the assessor with assurance that controls are implemented as expected

Sampling of business facilities/system components for an assessment does not reduce the scope of the cardholder data environment or the

applicability of PCI DSS requirements Whether or not sampling is to be used, PCI DSS requirements apply to the entire cardholder data

environment If sampling is used, each sample must be assessed against all applicable PCI DSS requirements Sampling of the PCI DSS

Requirements themselves is not permitted

Examples of business facilities include but are not limited to: corporate offices, stores, franchise locations, processing facilities, data centers, and other facility types in different locations Sampling should include system components within each selected business facility For example, for each business facility selected, include a variety of operating systems, functions, and applications that are applicable to the area under review

As an example, the assessor may define a sample at a business facility to include Sun servers running Apache WWW, Windows servers running Oracle, mainframe systems running legacy card processing applications, data transfer servers running HP-UX, and Linux Servers running

MYSQL If all applications run from a single version of an OS (for example, Windows 7 or Solaris 10), then the sample should still include a variety

of applications (for example, database servers, web servers, data transfer servers)

When independently selecting samples of business facilities/system components, assessors should consider the following:

 If there are standard, centralized PCI DSS security and operational processes and controls in place that ensure consistency and that each business facility/system component must follow, the sample can be smaller than if there are no standard processes/controls in place The sample must be large enough to provide the assessor with reasonable assurance that all business facilities/system components are

configured per the standard processes

 If there is more than one type of standard security and/or operational process in place (for example, for different types of business

facilities/system components), the sample must be large enough to include business facilities/system components secured with each type

of process

 If there are no standard PCI DSS processes/controls in place and each business facility/system component is managed through standard processes, the sample must be larger for the assessor to be assured that each business facility/system component has

non-implemented PCI DSS requirements appropriately

For each instance where sampling is used, the assessor must:

 Document the rationale behind the sampling technique and sample size,

 Document and validate the standardized PCI DSS processes and controls used to determine sample

size, and

 Explain how the sample is appropriate and representative of the overall population

Assessors must revalidate the sampling rationale for each assessment If sampling is to be used, different

samples of business facilities and system components must be selected for each assessment

Compensating Controls

On an annual basis, any compensating controls must be documented, reviewed and validated by the assessor and included with the Report on

Compliance submission, per Appendix B: Compensating Controls and Appendix C: Compensating Controls Worksheet

For each and every compensating control, the Compensating Controls Worksheet (Appendix C) must be completed Additionally, compensating

control results should be documented in the ROC in the corresponding PCI DSS requirement section

See the above-mentioned Appendices B and C for more details on ―compensating controls.‖

Please also refer to:

Appendix D: Segmentation and Sampling of Business Facilities/System

Components

Instructions and Content for Report on Compliance

This document must be used as the template for creating the Report on Compliance The assessed entity should follow each payment brand’s

respective reporting requirements to ensure each payment brand acknowledges the entity’s compliance status Contact each payment brand to determine reporting requirements and instructions

Report Content and Format

Follow these instructions for report content and format when completing a Report on Compliance:

1 Executive Summary

Include the following:

 Describe the entity’s payment card business, including:

- Their business role with payment cards, which is how and why they store, process, and/or transmit cardholder data

Note: This is not intended to be a cut-and- paste from the entity‘s web site, but should be a tailored description that shows the assessor understands payment and the entity‘s role

- How they process payment (directly, indirectly, etc.)

- What types of payment channels they serve, such as card-not-present (for example, mail-order-telephonorder (MOTO),

e-Commerce), or card-present

- Any entities that they connect to for payment transmission or processing, including processor relationships

 A high-level network diagram (either obtained from the entity or created by assessor) of the entity’s networking topography that

includes:

- Connections into and out of the network

- Critical components within the cardholder data environment, including POS devices, systems, databases, and web servers, as

applicable

- Other necessary payment components, as applicable

2 Description of Scope of Work and Approach Taken

Describe the scope, per the Scope of Assessment section of this document, including the following:

 Document how the assessor validated the accuracy of the PCI DSS scope for the assessment, including:

- The methods or processes used to identify and document all existences of cardholder data

- How the results were evaluated and documented

- How the effectiveness and accuracy of the methods used were verified

- That the assessor validates that the scope of the assessment is accurate and appropriate

 Environment on which assessment focused (for example, client’s Internet access points, internal corporate network, processing

connections)

 If network segmentation is in place and was used to reduce scope of the PCI DSS review, briefly explain that segmentation and

how assessor validated the effectiveness of the segmentation

 If sampling is used during the assessment, for each sample set selected (of business facilities/system components) document the

following:

- Total population

- Number sampled

- Rationale for sample selected

- Description of the standardized PCI DSS security and operational processes and controls used to determine sample size, and how the processes/controls were validated

- How the sample is appropriate and representative of the overall population

- Description of any locations or environments that store, process, or transmit cardholder data that were EXCLUDED from the

scope of the review, and why these locations/environments were excluded

 List any wholly-owned entities that require compliance with the PCI DSS, and whether they are reviewed separately or as part of

this assessment

 List any international entities that require compliance with the PCI DSS, and whether they are reviewed separately or as part of this

assessment

 List any wireless LANs and/or wireless payment applications (for example, POS terminals) that are connected to, or could impact

the security of the cardholder data environment, and describe security in place for these wireless environments

 The version of the PCI DSS Requirements and Security Assessment Procedures document used to conduct the assessment

3 Details about Reviewed Environment

Include the following details in this section:

 A diagram of each piece of the communication link, including LAN, WAN or Internet

 Description of cardholder data environment, for example:

- Document transmission and processing of cardholder data, including authorization, capture, settlement, chargeback and other flows as applicable

- List of files and tables that store cardholder data, supported by an inventory created (or obtained from the client) and retained

by the assessor in the work papers This inventory should include, for each cardholder data store (file, table, etc.):

 List all of the elements of stored cardholder data

 How data is secured

 How access to data stores are logged

 List of hardware and critical software in use in the cardholder data environment, along with description of function/use for each

 List of service providers and other third parties with which the entity shares cardholder data

Note: These entities are subject to PCI DSS Requirement 12.8.)

 List of third-party payment application products and versions numbers in use, including whether each payment application has been validated according to PA-DSS Even if a payment application has been PA-DSS validated, the assessor still needs to verify that the application has been implemented in a PCI DSS compliant manner and environment, and according to the payment

application vendor’s PA-DSS Implementation Guide

Note: It is not a PCI DSS requirement to use PA-DSS validated applications Please consult with each payment brand individually

to understand their PA-DSS compliance requirements.)

 List of individuals interviewed, their organizations, titles, and topics covered

 List of documentation reviewed

 For managed service provider (MSP) reviews, the assessor must clearly identify which requirements in this document apply to the MSP (and are included in the review), and which are not included in the review and are the responsibility of the MSP’s customers

to include in their reviews Include information about which of the MSP’s IP addresses are scanned as part of the MSP’s quarterly vulnerability scans, and which IP addresses are the responsibility of the MSP’s customers to include in their own quarterly scans

4 Contact Information and Report Date

Include:

 Contact information for merchant or service provider and assessor

 Timeframe of assessment—specify the duration and the time period over which the assessment occurred

 Date of report

5 Quarterly Scan Results

 Summarize the four most recent quarterly ASV scan results in the Executive Summary as well as in comments at Requirement

For subsequent years after the initial PCI DSS review, four passing quarterly scans must have occurred

 Scan must cover all externally accessible (Internet-facing) IP addresses in existence at the entity, in accordance with the PCI

Approved Scanning Vendors (ASV) Program Guide

6 Findings and Observations

Summarize in the Executive Summary any findings that may not fit into the standard Report on Compliance template format

All assessors must:

 Use the Detailed PCI DSS Requirements and Security Assessment Procedures template to provide detailed report descriptions and findings on each requirement and sub-requirement

 Ensure that all N/A responses are clearly explained

 Review and document any compensating controls considered to conclude that a control is in place

See ―Compensating Controls‖ section above and Appendices B and C for more details on compensating controls

Revalidation of Open Items

A ―controls in place‖ report is required to verify compliance The report is considered non-compliant if it contains ―open items,‖ or items that will be finished at a future date The merchant/service provider must address these items before validation is completed After open items are addressed

by the merchant/service provider, the assessor will then reassess to validate that the remediation occurred and that all requirements are satisfied After revalidation, the assessor will issue a new Report on Compliance, verifying that the cardholder data environment is fully compliant, and

PCI DSS Compliance – Completion Steps

1 Complete the Report on Compliance (ROC) according to the section above entitled ―Instructions and Content for Report on Compliance.‖

2 Ensure passing vulnerability scan(s) have been completed by a PCI SSC Approved Scanning Vendor (ASV), and obtain evidence of passing scan(s) from the ASV

3 Complete the Attestation of Compliance for Service Providers or Merchants, as applicable, in its entirety Attestations of Compliance are available on the PCI SSC website (www.pcisecuritystandards.org)

4 Submit the ROC, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to the acquirer (for merchants) or to the payment brand or other requester (for service providers)

Detailed PCI DSS Requirements and Security Assessment Procedures

For the PCI DSS Requirements and Security Assessment Procedures, the following defines the table column headings:

 PCI DSS Requirements – This column defines the Data Security Standard and lists requirements to achieve PCI DSS compliance;

compliance will be validated against these requirements

 Testing Procedures – This column shows processes to be followed by the assessor to validate that PCI DSS requirements are ―in place.‖

 In Place – This column must be used by the assessor to provide a brief description of

the controls which were validated as ―in place‖ for each requirement, including

descriptions of controls found to be in place as a result of compensating controls, or as a

result of a requirement being ―Not Applicable.‖

 Not in Place – This column must be used by the assessor to provide a brief description of controls that are not in place Note that a

compliant report should not be submitted to a payment brand or acquirer unless specifically requested , For further instructions on compliant reports, please refer to the Attestations of Compliance, available on the PCI SSC website (www.pcisecuritystandards.org)

non- Target Date/Comments – For those controls ―Not in Place‖ the assessor may include a target date that the merchant or service provider

expects to have controls ―In Place.‖ Any additional notes or comments may be included here as well

Note: This column must not be used for

controls that are not yet in place or for open items to be completed at a future date

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Firewalls are devices that control computer traffic allowed between an entity’s networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity’s internal trusted networks The cardholder data environment is an example of a more sensitive area within an entity’s trusted network

A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria

All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems Firewalls are a key protection mechanism for any computer network

Other system components may provide firewall functionality, provided they meet the minimum requirements for firewalls as provided in

Requirement 1 Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1

Place

Target Date/ Comments

1.1 Establish firewall and router

configuration standards that include the

following:

1.1 Obtain and inspect the firewall and router configuration

standards and other documentation specified below to verify that standards are complete Complete the following:

1.1.1 A formal process for approving

and testing all network connections and

changes to the firewall and router

configurations

1.1.1 Verify that there is a formal process for testing and approval

of all network connections and changes to firewall and router

configurations

1.1.2 Current network diagram with all

connections to cardholder data,

including any wireless networks

1.1.2.a Verify that a current network diagram (for example, one

that shows cardholder data flows over the network) exists and that

it documents all connections to cardholder data, including any

wireless networks

1.1.3 Requirements for a firewall at

each Internet connection and between

any demilitarized zone (DMZ) and the

internal network zone

1.1.3.a Verify that firewall configuration standards include

requirements for a firewall at each Internet connection and

between any DMZ and the internal network zone

1.1.3.b Verify that the current network diagram is consistent with

the firewall configuration standards

PCI DSS Requirements Testing Procedures In Place Not in

Place

Target Date/ Comments

1.1.4 Description of groups, roles, and

responsibilities for logical management

of network components

1.1.4 Verify that firewall and router configuration standards include

a description of groups, roles, and responsibilities for logical

management of network components

1.1.5 Documentation and business

justification for use of all services,

protocols, and ports allowed, including

documentation of security features

implemented for those protocols

considered to be insecure

Examples of insecure services,

protocols, or ports include but are not

limited to FTP, Telnet, POP3, IMAP,

and SNMP

1.1.5.a Verify that firewall and router configuration standards

include a documented list of services, protocols and ports necessary for business—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH),

and Virtual Private Network (VPN) protocols

1.1.5.b Identify insecure services, protocols, and ports allowed;

and verify they are necessary and that security features are documented and implemented by examining firewall and router configuration standards and settings for each service

1.1.6 Requirement to review firewall

and router rule sets at least every six

months

1.1.6.a Verify that firewall and router configuration standards

require review of firewall and router rule sets at least every six

months

1.1.6.b Obtain and examine documentation to verify that the rule

sets are reviewed at least every six months

1.2 Build firewall and router

configurations that restrict connections

between untrusted networks and any

system components in the cardholder

data environment

Note: An ―untrusted network‖ is any

network that is external to the networks

belonging to the entity under review,

and/or which is out of the entity's ability to

control or manage

1.2 Examine firewall and router configurations to verify that

connections are restricted between untrusted networks and system components in the cardholder data environment, as follows:

1.2.1 Restrict inbound and outbound

traffic to that which is necessary for the

cardholder data environment

1.2.1.a Verify that inbound and outbound traffic is limited to that

which is necessary for the cardholder data environment, and that the restrictions are documented

1.2.1.b Verify that all other inbound and outbound traffic is

specifically denied, for example by using an explicit ―deny all‖ or

an implicit deny after allow statement

PCI DSS Requirements Testing Procedures In Place Not in

Place

Target Date/ Comments

1.2.2 Secure and synchronize router

configuration files

1.2.2 Verify that router configuration files are secure and

synchronized—for example, running configuration files (used for normal running of the routers) and start-up configuration files (used when machines are re-booted), have the same, secure

configurations

1.2.3 Install perimeter firewalls between

any wireless networks and the

cardholder data environment, and

configure these firewalls to deny or

control (if such traffic is necessary for

business purposes) any traffic from the

wireless environment into the

cardholder data environment

1.2.3 Verify that there are perimeter firewalls installed between

any wireless networks and systems that store cardholder data, and that these firewalls deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment

into the cardholder data environment

1.3 Prohibit direct public access between

the Internet and any system component

in the cardholder data environment

1.3 Examine firewall and router configurations—including but not limited to the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment—to determine that there is no direct access between the Internet and system components in the

internal cardholder network segment, as detailed below

1.3.1 Implement a DMZ to limit inbound

traffic to only system components that

provide authorized publicly accessible

services, protocols, and ports

1.3.1 Verify that a DMZ is implemented to limit inbound traffic to

only system components that provide authorized publicly accessible services, protocols, and ports

1.3.2 Limit inbound Internet traffic to IP

addresses within the DMZ

1.3.2 Verify that inbound Internet traffic is limited to IP addresses

within the DMZ

1.3.3 Do not allow any direct

connections inbound or outbound for

traffic between the Internet and the

cardholder data environment

1.3.3 Verify direct connections inbound or outbound are not

allowed for traffic between the Internet and the cardholder data

environment

1.3.4 Do not allow internal addresses to

pass from the Internet into the DMZ

1.3.4 Verify that internal addresses cannot pass from the Internet

into the DMZ

1.3.5 Do not allow unauthorized

outbound traffic from the cardholder

data environment to the Internet

1.3.5 Verify that outbound traffic from the cardholder data

environment to the Internet is explicitly authorized

PCI DSS Requirements Testing Procedures In Place Not in

Place

Target Date/ Comments

1.3.6 Implement stateful inspection,

also known as dynamic packet filtering

(That is, only ―established‖ connections

are allowed into the network.)

1.3.6 Verify that the firewall performs stateful inspection (dynamic

packet filtering) (Only established connections should be allowed

in, and only if they are associated with a previously established

session.)

1.3.7 Place system components that

store cardholder data (such as a

database) in an internal network zone,

segregated from the DMZ and other

untrusted networks

1.3.7 Verify that system components that store cardholder data

are on an internal network zone, segregated from the DMZ and

other untrusted networks

1.3.8 Do not disclose private IP

addresses and routing information to

unauthorized parties

Note: Methods to obscure IP

addressing may include, but are not

limited to:

 Network Address Translation (NAT)

 Placing servers containing

cardholder data behind proxy

servers/firewalls or content caches,

 Removal or filtering of route

advertisements for private networks

that employ registered addressing,

 Internal use of RFC1918 address

space instead of registered

addresses

1.3.8.a Verify that methods are in place to prevent the disclosure

of private IP addresses and routing information from internal networks to the Internet

1.3.8.b Verify that any disclosure of private IP addresses and

routing information to external entities is authorized

1.4 Install personal firewall software on

any mobile and/or employee-owned

computers with direct connectivity to the

Internet (for example, laptops used by

employees), which are used to access

the organization’s network

1.4.a Verify that mobile and/or employee-owned computers with

direct connectivity to the Internet (for example, laptops used by employees), and which are used to access the organization’s

network, have personal firewall software installed and active

1.4.b Verify that the personal firewall software is configured by the

organization to specific standards and is not alterable by users of

mobile and/or employee-owned computers

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems These passwords and settings are well known by hacker communities and are easily determined via public information

Place

Target Date/ Comments

2.1 Always change vendor-supplied

defaults before installing a system on the

network, including but not limited to

passwords, simple network management

protocol (SNMP) community strings, and

elimination of unnecessary accounts

2.1 Choose a sample of system components, and attempt to log on

(with system administrator help) to the devices using default vendor-supplied accounts and passwords, to verify that default accounts and passwords have been changed (Use vendor manuals and sources on the Internet to find vendor-supplied

accounts/passwords.)

2.1.1 For wireless environments

connected to the cardholder data

environment or transmitting cardholder

data, change wireless vendor defaults,

including but not limited to default

wireless encryption keys, passwords,

and SNMP community strings

2.1.1 Verify the following regarding vendor default settings for

wireless environments:

2.1.1.a Verify encryption keys were changed from default at

installation, and are changed anytime anyone with knowledge of the keys leaves the company or changes positions

2.1.1.b Verify default SNMP community strings on wireless

devices were changed

2.1.1.c Verify default passwords/passphrases on access points

were changed

2.1.1.d Verify firmware on wireless devices is updated to support

strong encryption for authentication and transmission over wireless networks

2.1.1.e Verify other security-related wireless vendor defaults were

changed, if applicable

PCI DSS Requirements Testing Procedures In Place Not in

Place

Target Date/ Comments 2.2 Develop configuration standards for

all system components Assure that

these standards address all known

security vulnerabilities and are consistent

with industry-accepted system hardening

standards

Sources of industry-accepted system

hardening standards may include, but are

not limited to:

 Center for Internet Security (CIS)

 International Organization for

standards

2.2.b Verify that system configuration standards are updated as

new vulnerability issues are identified, as defined in Requirement

6.2

2.2.c Verify that system configuration standards are applied when

new systems are configured

2.2.d Verify that system configuration standards include each item

below (2.2.1 – 2.2.4)

2.2.1 Implement only one primary

function per server to prevent functions

that require different security levels

from co-existing on the same server

(For example, web servers, database

servers, and DNS should be

implemented on separate servers.)

Note: Where virtualization technologies

are in use, implement only one primary

function per virtual system component

2.2.1.a For a sample of system components, verify that only one

primary function is implemented per server

2.2.1.b If virtualization technologies are used, verify that only one

primary function is implemented per virtual system component or device

PCI DSS Requirements Testing Procedures In Place Not in

Place

Target Date/ Comments 2.2.2 Enable only necessary and

secure services, protocols, daemons,

etc., as required for the function of the

system

Implement security features for any

required services, protocols or

daemons that are considered to be

insecure—for example, use secured

technologies such as SSH, S-FTP,

SSL, or IPSec VPN to protect insecure

services such as NetBIOS, file-sharing,

Telnet, FTP, etc

2.2.2.a For a sample of system components, inspect enabled

system services, daemons, and protocols Verify that only

necessary services or protocols are enabled

2.2.2.b Identify any enabled insecure services, daemons, or

protocols Verify they are justified and that security features are

documented and implemented

2.2.3 Configure system security

parameters to prevent misuse

2.2.3.a Interview system administrators and/or security managers

to verify that they have knowledge of common security parameter settings for system components

2.2.3.b Verify that common security parameter settings are

included in the system configuration standards

2.2.3.c For a sample of system components, verify that common

security parameters are set appropriately

2.2.4 Remove all unnecessary

functionality, such as scripts, drivers,

features, subsystems, file systems, and

unnecessary web servers

2.2.4.a For a sample of system components, verify that all

unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed

2.2.4.b Verify enabled functions are documented and support

secure configuration

2.2.4.c Verify that only documented functionality is present on

the sampled system components

PCI DSS Requirements Testing Procedures In Place Not in

Place

Target Date/ Comments 2.3 Encrypt all non-console

administrative access using strong

cryptography Use technologies such

as SSH, VPN, or SSL/TLS for

web-based management and other

non-console administrative access

2.3 For a sample of system components, verify that non-console

administrative access is encrypted by performing the following:

2.3.a Observe an administrator log on to each system to verify

that a strong encryption method is invoked before the administrator’s password is requested

2.3.b Review services and parameter files on systems to

determine that Telnet and other remote login commands are not available for use internally

2.3.c Verify that administrator access to the web-based

management interfaces is encrypted with strong cryptography

2.4 Shared hosting providers must

protect each entity’s hosted environment

and cardholder data These providers

must meet specific requirements as

detailed in Appendix A: Additional PCI

DSS Requirements for Shared Hosting

Providers

2.4 Perform testing procedures A.1.1 through A.1.4 detailed in

Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers for PCI DSS assessments of shared hosting providers, to

verify that shared hosting providers protect their entities’ (merchants

and service providers) hosted environment and data

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and

unusable to that person Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging

Please refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for definitions of ―strong cryptography‖ and other PCI DSS terms

Place

Target Date/ Comments

3.1 Keep cardholder data storage to a

minimum by implementing data retention

and disposal policies, procedures and

processes, as follows

3.1 Obtain and examine the policies, procedures and processes for

data retention and disposal, and perform the following:

3.1.1 Implement a data retention and

disposal policy that includes:

 Limiting data storage amount and

retention time to that which is

required for legal, regulatory, and

business requirements

 Processes for secure deletion of

data when no longer needed

 Specific retention requirements for

cardholder data

 A quarterly automatic or manual

process for identifying and securely

deleting stored cardholder data that

exceeds defined retention

requirements

3.1.1.a Verify that policies and procedures are implemented and

include legal, regulatory, and business requirements for data retention, including specific requirements for retention of cardholder data (for example, cardholder data needs to be held

for X period for Y business reasons)

3.1.1.b Verify that policies and procedures include provisions for

secure disposal of data when no longer needed for legal, regulatory, or business reasons, including disposal of cardholder

data

3.1.1.c Verify that policies and procedures include coverage for all

storage of cardholder data

Requirements for a review, conducted at least quarterly, to verify that stored cardholder data does not exceed requirements defined

in the data retention policy

PCI DSS Requirements Testing Procedures In Place Not in

Place

Target Date/ Comments

3.1.1.e For a sample of system components that store cardholder

data, verify that the data stored does not exceed the requirements

defined in the data retention policy

3.2 Do not store sensitive authentication

data after authorization (even if

encrypted)

Sensitive authentication data includes the

data as cited in the following

Requirements 3.2.1 through 3.2.3:

Note: It is permissible for issuers and

companies that support issuing services

to store sensitive authentication data if

there is a business justification and the

data is stored securely

3.2.a For issuers and/or companies that support issuing services

and store sensitive authentication data, verify there is a business justification for the storage of sensitive authentication data, and that the data is secured

3.2.b For all other entities, if sensitive authentication data is

received and deleted, obtain and review the processes for securely deleting the data to verify that the data is unrecoverable

3.2.c For each item of sensitive authentication data below, perform

the following steps:

3.2.1 Do not store the full contents of

any track (from the magnetic stripe

located on the back of a card,

equivalent data contained on a chip, or

elsewhere) This data is alternatively

called full track, track, track 1, track 2,

and magnetic-stripe data

Note: In the normal course of business,

the following data elements from the

magnetic stripe may need to be

retained:

 The cardholder‘s name

 Primary account number (PAN)

 Expiration date

 Service code

To minimize risk, store only these data

elements as needed for business

3.2.1 For a sample of system components, examine data sources,

including but not limited to the following, and verify that the full contents of any track from the magnetic stripe on the back of card

or equivalent data on a chip are not stored under any circumstance:

 Incoming transaction data

 All logs (for example, transaction, history, debugging, error)

PCI DSS Requirements Testing Procedures In Place Not in

Place

Target Date/ Comments

3.2.2 Do not store the card verification

code or value (three-digit or four-digit

number printed on the front or back of a

payment card) used to verify

card-not-present transactions

3.2.2 For a sample of system components, examine data sources,

including but not limited to the following, and verify that the digit or four-digit card verification code or value printed on the front of the card or the signature panel (CVV2, CVC2, CID, CAV2 data) is not stored under any circumstance:

three- Incoming transaction data

 All logs (for example, transaction, history, debugging, error)

3.2.3 Do not store the personal

identification number (PIN) or the

encrypted PIN block

3.2.3 For a sample of system components, examine data sources,

including but not limited to the following and verify that PINs and encrypted PIN blocks are not stored under any circumstance:

 Incoming transaction data

 All logs (for example, transaction, history, debugging, error)

3.3 Mask PAN when displayed (the first

six and last four digits are the maximum

number of digits to be displayed)

Notes:

 This requirement does not apply to

employees and other parties with a

legitimate business need to see the

full PAN

 This requirement does not supersede

stricter requirements in place for

displays of cardholder data—for

example, for point-of-sale (POS)

receipts

3.3 Obtain and examine written policies and examine displays of

PAN (for example, on screen, on paper receipts) to verify that primary account numbers (PANs) are masked when displaying cardholder data, except for those with a legitimate business need to

see full PAN

PCI DSS Requirements Testing Procedures In Place Not in

Place

Target Date/ Comments

3.4 Render PAN unreadable anywhere it

is stored (including on portable digital

media, backup media, and in logs) by

using any of the following approaches:

 One-way hashes based on strong

cryptography (hash must be of the

entire PAN)

 Truncation (hashing cannot be used

to replace the truncated segment of

PAN)

 Index tokens and pads (pads must

be securely stored)

 Strong cryptography with associated

key-management processes and

procedures

Note: It is a relatively trivial effort for a

malicious individual to reconstruct original

PAN data if they have access to both the

truncated and hashed version of a PAN

Where hashed and truncated versions of

the same PAN are present in an entity‘s

environment, additional controls should

be in place to ensure that the hashed and

truncated versions cannot be correlated

to reconstruct the original PAN

3.4.a Obtain and examine documentation about the system used to

protect the PAN, including the vendor, type of system/process, and the encryption algorithms (if applicable) Verify that the PAN is rendered unreadable using any of the following methods:

 One-way hashes based on strong cryptography

 Truncation

 Index tokens and pads, with the pads being securely stored

 Strong cryptography, with associated key-management processes and procedures

3.4.b Examine several tables or files from a sample of data

repositories to verify the PAN is rendered unreadable (that is, not

stored in plain-text)

3.4.c Examine a sample of removable media (for example, back-up

tapes) to confirm that the PAN is rendered unreadable

3.4.d Examine a sample of audit logs to confirm that the PAN is

rendered unreadable or removed from the logs

3.4.1 If disk encryption is used (rather

than file- or column-level database

encryption), logical access must be

managed independently of native

operating system access control

mechanisms (for example, by not using

local user account databases)

Decryption keys must not be tied to

user accounts

3.4.1.a If disk encryption is used, verify that logical access to

encrypted file systems is implemented via a mechanism that is separate from the native operating systems mechanism (for

example, not using local user account databases)

3.4.1.b Verify that cryptographic keys are stored securely (for

example, stored on removable media that is adequately protected

with strong access controls)

3.4.1.c Verify that cardholder data on removable media is

encrypted wherever stored

Note: If disk encryption is not used to encrypt removable media,

PCI DSS Requirements Testing Procedures In Place Not in

Place

Target Date/ Comments

3.5 Protect any keys used to secure

cardholder data against disclosure and

misuse:

Note: This requirement also applies to

key-encrypting keys used to protect

data-encrypting keys—such key-data-encrypting

keys must be at least as strong as the

data-encrypting key

3.5 Verify processes to protect keys used for encryption of

cardholder data against disclosure and misuse by performing the following:

3.5.1 Restrict access to cryptographic

keys to the fewest number of

custodians necessary

3.5.1 Examine user access lists to verify that access to keys is

restricted to the fewest number of custodians necessary

3.5.2 Store cryptographic keys securely

in the fewest possible locations and

forms

3.5.2.a Examine system configuration files to verify that keys are

stored in encrypted format and that key-encrypting keys are stored separately from data-encrypting keys

3.5.2.b Identify key storage locations to verify that keys are stored

in the fewest possible locations and forms

3.6 Fully document and implement all

key-management processes and

procedures for cryptographic keys used

for encryption of cardholder data,

including the following:

Note: Numerous industry standards for

key management are available from

various resources including NIST, which

can be found at http://csrc.nist.gov

3.6.a Verify the existence of key-management procedures for keys

used for encryption of cardholder data

3.6.b For service providers only: If the service provider shares keys

with their customers for transmission or storage of cardholder data, verify that the service provider provides documentation to

customers that includes guidance on how to securely transmit, store and update customer’s keys, in accordance with Requirements 3.6.1 through 3.6.8 below

3.6.1 Verify that key-management procedures are implemented to

require the generation of strong keys

3.6.2 Secure cryptographic key

distribution

3.6.2 Verify that key-management procedures are implemented to

require secure key distribution

3.6.3 Secure cryptographic key storage 3.6.3 Verify that key-management procedures are implemented to

require secure key storage

PCI DSS Requirements Testing Procedures In Place Not in

Place

Target Date/ Comments

3.6.4 Cryptographic key changes for

keys that have reached the end of their

cryptoperiod (for example, after a

defined period of time has passed

and/or after a certain amount of

cipher-text has been produced by a given

key), as defined by the associated

application vendor or key owner, and

based on industry best practices and

guidelines (for example, NIST Special

Publication 800-57)

3.6.4 Verify that key-management procedures are implemented to

require periodic key changes at the end of the defined

cryptoperiod

3.6.5 Retirement or replacement (for

example, archiving, destruction, and/or

revocation) of keys as deemed

necessary when the integrity of the key

has been weakened (for example,

departure of an employee with

knowledge of a clear-text key), or keys

are suspected of being compromised

Note: If retired or replaced

cryptographic keys need to be retained,

these keys must be securely archived

(for example, by using a key encryption

key) Archived cryptographic keys

should only be used for

decryption/verification purposes

3.6.5.a Verify that key-management procedures are implemented

to require the retirement of keys when the integrity of the key has been weakened

3.6.5.b Verify that the key-management procedures are

implemented to require the replacement of known or suspected

compromised keys

3.6.5.c If retired or replaced cryptographic keys are retained,

verify that these keys are not used for encryption operations

PCI DSS Requirements Testing Procedures In Place Not in

Place

Target Date/ Comments

3.6.6 If manual clear-text cryptographic

key management operations are used,

these operations must be managed

using split knowledge and dual control

(for example, requiring two or three

people, each knowing only their own

key component, to reconstruct the

whole key)

Note: Examples of manual key

management operations include, but

are not limited to: key generation,

transmission, loading, storage and

destruction

3.6.6 Verify that manual clear-text key-management procedures

require split knowledge and dual control of keys

3.6.7 Prevention of unauthorized

substitution of cryptographic keys

3.6.7 Verify that key-management procedures are implemented to

require the prevention of unauthorized substitution of keys

3.6.8 Requirement for cryptographic

key custodians to formally acknowledge

that they understand and accept their

key-custodian responsibilities

3.6.8 Verify that key-management procedures are implemented to

require key custodians to acknowledge (in writing or electronically) that they understand and accept their key-custodian

responsibilities

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals Misconfigured

wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments

Place

Target Date/ Comments

4.1 Use strong cryptography and security

protocols (for example, SSL/TLS, IPSEC,

SSH, etc.) to safeguard sensitive

cardholder data during transmission over

open, public networks

Examples of open, public networks that

are in scope of the PCI DSS include but

are not limited to:

4.1 Verify the use of security protocols wherever cardholder data is

transmitted or received over open, public networks

Verify that strong cryptography is used during data transmission, as follows:

4.1.a Select a sample of transactions as they are received and

observe transactions as they occur to verify that cardholder data is

encrypted during transit

4.1.b Verify that only trusted keys and/or certificates are accepted

4.1.c Verify that the protocol is implemented to use only secure

configurations, and does not support insecure versions or

configurations

4.1.d Verify that the proper encryption strength is implemented for

the encryption methodology in use (Check vendor

recommendations/best practices.)

4.1.e For SSL/TLS implementations:

 Verify that HTTPS appears as a part of the browser Universal Record Locator (URL)

 Verify that no cardholder data is required when HTTPS does not appear in the URL

PCI DSS Requirements Testing Procedures In Place Not in

Place

Target Date/ Comments

4.1.1 Ensure wireless networks

transmitting cardholder data or

connected to the cardholder data

environment, use industry best

practices (for example, IEEE 802.11i) to

implement strong encryption for

authentication and transmission

Note: The use of WEP as a security

control was prohibited as of 30 June

2010

4.1.1 For wireless networks transmitting cardholder data or

connected to the cardholder data environment, verify that industry best practices (for example, IEEE 802.11i) are used to implement strong encryption for authentication and transmission

4.2 Never send unprotected PANs by

end-user messaging technologies (for

example, e-mail, instant messaging, chat,

etc.)

4.2.a Verify that PAN is rendered unreadable or secured with strong

cryptography whenever it is sent via end-user messaging technologies

4.2.b Verify the existence of a policy stating that unprotected PANs

are not to be sent via end-user messaging technologies

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software or programs

Malicious software, commonly referred to as ―malware‖—including viruses, worms, and Trojans—enters the network during many

business-approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and

evolving malicious software threats

Place

Target Date/ Comments

5.1 Deploy anti-virus software on all

systems commonly affected by malicious

software (particularly personal computers

and servers)

5.1 For a sample of system components including all operating

system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists

5.1.1 Ensure that all anti-virus

programs are capable of detecting,

removing, and protecting against all

known types of malicious software

5.1.1 For a sample of system components, verify that all anti-virus

programs detect, remove, and protect against all known types of malicious software (for example, viruses, Trojans, worms,

spyware, adware, and rootkits)

5.2 Ensure that all anti-virus mechanisms

are current, actively running, and

generating audit logs

5.2 Verify that all anti-virus software is current, actively running, and

generating logs by performing the following:

5.2.a Obtain and examine the policy and verify that it requires

updating of anti-virus software and definitions

5.2.b Verify that the master installation of the software is enabled

for automatic updates and periodic scans

5.2.c For a sample of system components including all operating

system types commonly affected by malicious software, verify that automatic updates and periodic scans are enabled

5.2.d For a sample of system components, verify that anti-virus

software log generation is enabled and that such logs are retained

in accordance with PCI DSS Requirement 10.7